redline | 3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f

General

Target

3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe
Size

1.1MB
MD5

6a0d85c36bb45691859ddbe22defe4bf
SHA1

e35e9132b8b8c5827df796f0fafabdf9462d8318
SHA256

3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f
SHA512

222c80523d8a6a99b946bf6e43bccca5e504749201a81c01d8348f52d44644077c4ab6143c2be7a0f43048bb9792ce1d410faab8e0be9529dad152e467258e0d
SSDEEP

24576:XyfJLKyex0OsfeDIczhdd6vz2v6cGTKvyhiQGxN68PN3:idKyypsG8cVm+lGuyzGxNh

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3322172.exe	family_redline
behavioral1/memory/2740-21-0x0000000000410000-0x000000000043A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x6189228.exex3403928.exef3322172.exe

pid process

5104 x6189228.exe
320 x3403928.exe
2740 f3322172.exe

pid	process
5104	x6189228.exe
320	x3403928.exe
2740	f3322172.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exex6189228.exex3403928.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6189228.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3403928.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x6189228.exex3403928.exef3322172.exe3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6189228.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3403928.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3322172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exex6189228.exex3403928.exe

description	pid	process	target process
PID 3916 wrote to memory of 5104	3916	3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe	x6189228.exe
PID 3916 wrote to memory of 5104	3916	3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe	x6189228.exe
PID 3916 wrote to memory of 5104	3916	3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe	x6189228.exe
PID 5104 wrote to memory of 320	5104	x6189228.exe	x3403928.exe
PID 5104 wrote to memory of 320	5104	x6189228.exe	x3403928.exe
PID 5104 wrote to memory of 320	5104	x6189228.exe	x3403928.exe
PID 320 wrote to memory of 2740	320	x3403928.exe	f3322172.exe
PID 320 wrote to memory of 2740	320	x3403928.exe	f3322172.exe
PID 320 wrote to memory of 2740	320	x3403928.exe	f3322172.exe

C:\Users\Admin\AppData\Local\Temp\3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe
"C:\Users\Admin\AppData\Local\Temp\3f74013e47a2d6b409a9fe48cb0568b7d85b40fba4c8549904a3fb392b0e707f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6189228.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6189228.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3403928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3403928.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3322172.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3322172.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6189228.exe

Filesize
750KB

MD5
b57ad9aceceff23e05c4b4887e05e0b3

SHA1
c30913c9d7acdce94183e9e9df35d3412ec47008

SHA256
12c3e72436c5e6011fcb4ce2dccb8b8a34632781095edcbe8131dc296e729bc3

SHA512
d63e921ebe06ac02d94e5880126f9c1c51734907c1bd75e76305c5fac98612fdd22f436a8c330f48a3a981af8725850d59854c0a5264d5809d5f5169de08463a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3403928.exe

Filesize
305KB

MD5
a8226a976c8c758b5726f28e007bb2f7

SHA1
a747ea868ce20e3351066239d6d1d9dacb97c126

SHA256
34ed9f28df4ccd70b5dcf0d1bf1bd93ab460a375a4d10b835d78a1d88a345486

SHA512
d0d3c8d7bd79fe0b00be63e7782476086e1be88b5f8a03674c84db31a6100414d81dff53cd22f9dea3a4709e307a4a85751744621c7a54bda52442d9ed2ce5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3322172.exe

Filesize
145KB

MD5
d21b2c543033dd5aa387664bc76c8b20

SHA1
df55d279ff236bddb009da7554510fe92d4b0580

SHA256
70120fe8425036806e2e24945e81e64e36aa63124e47e38b2fbb97f7ac296e77

SHA512
a241c23f6280169a6f29b07199127ef8b281b6a4ccbe00bc68123f58659a1bfe76651bed4bd54e7097fac9703d202e476a79612be7febe22e4598362e26ba7c1

Download Submit
memory/2740-21-0x0000000000410000-0x000000000043A000-memory.dmp

Filesize
168KB

Download
memory/2740-22-0x0000000005360000-0x0000000005978000-memory.dmp

Filesize
6.1MB

Download
memory/2740-23-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

Filesize
1.0MB

Download
memory/2740-24-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/2740-25-0x0000000004E70000-0x0000000004EAC000-memory.dmp

Filesize
240KB

Download
memory/2740-26-0x0000000004FF0000-0x000000000503C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads